Skip to content

[Security] Be able to know the reasons of the denied access #35592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 9 commits into from
Closed

[Security] Be able to know the reasons of the denied access #35592

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
26a8381
poc
maidmaid Jan 8, 2020
868b9ff
round 2
maidmaid Feb 18, 2020
edfc392
Add a "~" default filter in profiler twig view
maidmaid Mar 3, 2020
ec41df2
Fix the message deprecated
maidmaid Mar 3, 2020
842e59e
Fix a typo
maidmaid Mar 3, 2020
7339108
Fix a typo
maidmaid Mar 3, 2020
8ef8d19
Make final the Vote and the AccessDecision classes
maidmaid Mar 3, 2020
c8a360c
Fix minor
maidmaid Mar 3, 2020
c4cfb5f
Add phpdoc
maidmaid Mar 3, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Add phpdoc
  • Loading branch information
@maidmaid
maidmaid committed Mar 3, 2020
commit c4cfb5f273f27c3ca418d6f1249bb25cd14a9da7
15 changes: 15 additions & 0 deletions src/Symfony/Component/Security/Core/Authorization/AccessDecision.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,24 +16,39 @@
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

/**
* An AccessDecision is returned by an AccessDecisionManager and contains the access verdict and all the related votes.
*
* @author Dany Maillard <danymaillard93b@gmail.com>
*/
final class AccessDecision
{
use AccessTrait;

/** @var Vote[] */
private $votes = [];

/**
* @param int $access One of the VoterInterface::ACCESS_* constants
* @param Vote[] $votes
*/
private function __construct(int $access, array $votes = [])
{
$this->access = $access;
$this->votes = $votes;
}

/**
* @param Vote[] $votes
*/
public static function createGranted(array $votes = []): self
{
return new self(VoterInterface::ACCESS_GRANTED, $votes);
}

/**
* @param Vote[] $votes
*/
public static function createDenied(array $votes = []): self
{
return new self(VoterInterface::ACCESS_DENIED, $votes);
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Component/Security/Core/Authorization/AccessDecisionManagerInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ interface AccessDecisionManagerInterface
* @param array $attributes An array of attributes associated with the method being invoked
* @param object $object The object to secure
*
* @return bool|AccessDecision true if the access is granted, false otherwise
* @return bool|AccessDecision Returning a boolean is deprecated since Symfony 5.1. Return an AccessDecision object instead.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This interface is not internal, so we should also be BC with the usage of the method AFAIK. I don't think we currently preserve backwards compatibility in e.g. this example:

if (!$accessDecisionManager->decide(...)) {
    throw new AccessDeniedException();
}

If an AccessDecision::createDenied() is returned, the condition !(AccessDecision::createDenied()) is false, causing the access denied exception not to be throw (while it was thrown using the old bool signature).

*/
public function decide(TokenInterface $token, array $attributes, $object = null);
}
5 changes: 4 additions & 1 deletion src/Symfony/Component/Security/Core/Authorization/Voter/AccessTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,12 @@

namespace Symfony\Component\Security\Core\Authorization\Voter;

/**
* @author Dany Maillard <danymaillard93b@gmail.com>
*/
trait AccessTrait
{
/** @var int */
/** @var int One of the VoterInterface::ACCESS_* constants */
protected $access;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be private.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Already discussed here #35592 (comment). Ok for you ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure to understand the rationale there.
If a class uses this trait, it does have write access to the private properties defined by the trait. Using protected would only serve for inheritance purpose, which is not needed here AFAIK.
Am I missing something?


public function getAccess(): int
Expand Down
9 changes: 9 additions & 0 deletions src/Symfony/Component/Security/Core/Authorization/Voter/Vote.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,22 @@

namespace Symfony\Component\Security\Core\Authorization\Voter;

/**
* A Vote is returned by a Voter and contains the access (granted, abstain or denied). It can also contains a reason
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* A Vote is returned by a Voter and contains the access (granted, abstain or denied). It can also contains a reason
* A Vote is returned by a Voter and contains the access (granted, abstain or denied).
* It can also contains a reason explaining the vote decision.

* explaining the why of the access which has been decided.
*
* @author Dany Maillard <danymaillard93b@gmail.com>
*/
final class Vote
{
use AccessTrait;

private $reason;
private $parameters;

/**
* @param int $access One of the VoterInterface::ACCESS_* constants
*/
private function __construct(int $access, string $reason = '', array $parameters = [])
{
$this->access = $access;
Expand Down
3 changes: 2 additions & 1 deletion src/Symfony/Component/Security/Core/Authorization/Voter/Voter.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
*
* @author Roman Marintšenko <inoryy@gmail.com>
* @author Grégoire Pineau <lyrixx@lyrixx.info>
* @author Dany Maillard <danymaillard93b@gmail.com>
*/
abstract class Voter implements VoterInterface
{
Expand Down Expand Up @@ -89,7 +90,7 @@ abstract protected function supports(string $attribute, $subject);
*
* @param mixed $subject
*
* @return bool|Vote
* @return bool|Vote Returning a boolean is deprecated since Symfony 5.1. Return a Vote object instead.
*/
abstract protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token);
}
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy